Per our CPS and the BR/EV requirements, we always abide by the latest version 
of the BRs

From Section 8.3:
" [Name of CA] conforms to the current version of the CA/Browser Forum 
Guidelines for Issuance and Management of Extended Validation Certificates 
published at http://www.cabforum.org. In the event of any inconsistency between 
this document and those Guidelines, those Guidelines take precedence over this 
document."

Therefore, any compliant CA would have to abide by the latest version, 
regardless of when their CPS is published.  Asserting the appropriate OID in 
the certificate is an assertion of compliance with the latest version of the 
guidelines, meaning versioning is largely irrelevant. 

Jeremy

-----Original Message-----
From: Ryan Sleevi [mailto:[email protected]] 
Sent: Sunday, July 27, 2014 9:11 PM
To: Jeremy Rowley
Cc: '[email protected]'; [email protected]; 
[email protected]
Subject: RE: Proposal: Advocate to get Section 9.3.1 (Reserved Certificate 
Policy Identifiers) made mandatory.

On Sun, July 27, 2014 7:41 pm, Jeremy Rowley wrote:
>  You can tell which BR version
>  the cert complies with by looking at the issuance date,

No. You can't.

Surely you don't mean to tell me that if I go find a cert DigiCert issued last 
week that I can safely assume it's going to conform to BR 1.1.8, do you?

The most recent WebTrust Seal linked from your page, Seal ID 1527, documents 
that DigiCert was audited to WebTrust 2.0 by KPMG, dated 12 July 2013, and 
covering through 31 March 2013.

Your CP (v4.06) and CPS (v4.06) are both dated May 14, 2014. But BR 1.1.8 is 
dated 5 June 2014 (Replacing 1.1.7, dated 3 April 2014). Can I tell, from 
looking at the issuance date, which BR version a cert issued on July
20 2014 was issued?

Would I be safe in assuming 1.1.8, even though it's newer than your CP/CPS? 
Should I assume your CP/CPS were updated to reflect through 1.1.7?

What about the fact that WebTrust for BR, v1.1 (Amended), the most recent 
version published by AICPA, is set with an effective Jan 31, 2013 date, which 
corresponds to the time between BR 1.1.1 and BR 1.1.2 (1.1.2 introducing the 
language regarding wildcard certs and gTLDs)?

There's no reasonable, programmatic way to determine which, out of all these 
criteria, DigiCert is claiming conformance to. Short of manually inspecting 
CP/CPSes.

This is where the OID nightmare comes from. There are 15 versions of the BRs. 
There are three versions of WebTrust for BRs. I haven't bothered to count how 
many ETSI versions. From the DigiCert repository ( 
http://www.digicert.com/ssl-cps-repository.htm ) I see there have been four 
versions of your CP/CPS since the BRs went into effect.

And this, of course, ignores the practice that some CAs (but presumably not 
Digicert) practice, of 'backdating' the issuance date of certs for 
compatibility reasons (or, allegedly, accounting, although that's a bit 
specious).

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy